Contents
Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
AAA for MPLS L3VPNs
Protocols and standards
RADIUS attributes
FIPS compliance
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain status
Displaying and maintaining AAA
AAA configuration examples
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
802.1X overview
802.1X architecture
802.1X-related protocols
Packet formats
EAP over RADIUS
Initiating 802.1X authentication
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
EAP relay